<p>Using Struts 1 ActionForm is security-sensitive. For example, their use has led in the past to the following vulnerability:</p>
<ul>
  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114">CVE-2014-0114</a> </li>
</ul>
<p>All classes extending <code>org.apache.struts.action.Action</code> are potentially remotely reachable. The <code>ActionForm</code> object provided
as a parameter of the <code>execute</code> method is automatically instantiated and populated with the HTTP parameters. One should review the use of
these parameters to be sure they are used safely. </p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> some parameters of the ActionForm might not have been validated properly. </li>
  <li> dangerous parameter names are accepted. Example: accept a "class" parameter and use the form to populate JavaBean properties (see the
  CVE-2014-0114 above). </li>
  <li> there are unused fields which are not empty or undefined. </li>
</ul>
<p>You are at risk if you answered to any of these questions.</p>
<h2>Recommended Secure Coding Practices</h2>
<p>All ActionForm's properties should be validated, including their size. Whenever possible, filter the parameters with a whitelist of valid values.
Otherwise, escape any sensitive character and constrain the values as much as possible.</p>
<p>Allow only non security-sensitive property names. All the ActionForm's property names should be whitelisted.</p>
<p>Unused fields should be constrained so that they are either empty or undefined.</p>
<h1>Noncompliant Code Example</h1>
<pre>
// Struts 1.1+
public final class CashTransferAction extends Action {

  public String fromAccount = "";
  public String toAccount = "";

  public ActionForward execute(ActionMapping mapping, ActionForm form, HttpServletRequest req, HttpServletResponse res) throws Exception {
    // usage of the "form" object to call some services doing JDBC actions
    [...]
    return mapping.findForward(resultat);
  }
}
</pre>
<h2>See</h2>
<ul>
  <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A1-Injection">OWASP Top 10 2017 Category A1</a> - Injection </li>
  <li> <a href="https://cwe.mitre.org/data/definitions/105.html">MITRE, CWE-105</a>: Struts Form Field Without Validator </li>
</ul>
<h2>Deprecated</h2>
<p>This rule is deprecated, and will eventually be removed.</p>

